Message authentication

ABSTRACT

There is disclosed a technique of providing message authentication in a communication system comprising the steps of: transmitting a first message from a first device to a second device; transmitting a second message from the second device to the first device, the second message including a message authentication code determined using said first and second messages; transmitting a third message from the first device to the second device, the third message including a message authentication code determined using the third message. The message authentication code of the third message may be additionally based on the second or the second and first messages.

FIELD OF THE INVENTION

The present invention generally relates to a method for checking the integrity of messages in a communication system, particularly but not exclusively between a mobile station and a cellular network.

BACKGROUND OF THE INVENTION

All telecommunication is subject to the problem of how to make sure that the information received has been sent by an authorized sender and not by somebody who is trying to masquerade as the sender. The problem is particularly evident in cellular telecommunication systems, where the air interface presents a potential platform for eavesdropping and replacing the contents of a transmission by using higher transmission levels, even from a distance. A basic solution to this problem is the authentication of the communicating parties. An authentication process aims to discover and check the identity of both the communicating parties, so that each party receives information about the identity of the other party and can rely on the identification to a sufficient degree. Authentication is typically performed in a specific procedure at the beginning of a connection. However, this does not adequately protect subsequent messages from unauthorized manipulation, insertion, and deletion. Thus, there is a need for the separate authentication of each transmitted message. The latter task can be carried out by appending a message authentication code (MAC-I) with a particular value to the message at the transmitting end and checking the MAC-I value at the receiving end.

A MAC-I is typically a relatively short string of bits based in some specified way on the message it protects and on a secret key known both by the sender and by the recipient of the message. The secret key is generated and agreed on typically in connection with the authentication procedure at the beginning of the connection. In some cases the algorithm that is used to calculate the MAC-I based on the secret key and on the message may also be secret.

The process of authentication of single messages is often called integrity protection. To protect the integrity of signaling, the transmitting party computes a MAC-I value based on the message to be sent and the secret key using the specified algorithm, and sends the message with the MAC-I value. The receiving party recomputes a MAC-I value based on the message and the same secret key according to the same specified algorithm, and compares the received MAC-I and the calculated MAC-I. If the two MAC-I values match, the recipient can trust that the message is intact and has been sent by the authorized party.

Known integrity protection schemes are not completely reliable. A third party can attempt to manipulate a message transmitted between a first and a second party. There are two main alternative methods for forging a MAC-I value for a modified or a new message: obtaining the secret key, or trying directly without the secret key.

The secret key can be obtained by a third party in two ways:

-   i) by computing all possible keys until a key is found matching the data of observed message MAC-I pairs, or by otherwise breaking the algorithm for producing MAC-I values; or
-   ii) by directly capturing a stored or transmitted secret key.

The original communicating parties can prevent a third party from obtaining the secret key by using an algorithm which is cryptographically strong and which uses a secret key which is long enough to prevent the exhaustive search of all keys, and by using other security means for the transmission and storage of secret keys.

A third party may try to disrupt the sending of messages between the two parties without a secret key by guessing the correct MAC-I value, or by replaying some earlier message transmitted between the two parties for which message the correct MAC-I is known from the original transmission.

Guessing of the correct MAC-I value can be made difficult by using long MAC-I values. The MAC-I value should be long enough to reduce the probability of correct guessing to a sufficiently low level compared to the benefit gained by one successful forgery. For example, using a 32 bit MAC-I value reduces the probability of a correct guess to 1/4294967296, which is small enough for most applications.

Obtaining a correct MAC-I value using the replay attack, i.e. by re-playing an earlier message, can be prevented by introducing a varying parameter to the calculation of the MAC-I values. For example, a time stamp value, a sequence number, or a random number can be used as further input to the MAC-I algorithm, in addition to the secret integrity key and the message. In the following, the prior art methods are described in more detail.

When using sequence numbers, each party has to keep track of which sequence numbers have already been used and are not acceptable any more. The easiest way to implement this is to store the highest sequence number used in MAC-I calculations so far. This approach has the drawback that between connections each party must maintain state information which is at least to some level synchronized. That is, they need to store the highest sequence number used so far. This requires the use of a large database in the network.

A further approach is to include a random number in each message, which the other side must use in MAC-I calculation the next time a message is sent for which MAC-I authentication is required. This approach has the same drawback as the previous one, i.e. between connections each party must maintain state information, which requires the use of a large database in the network.

By way of example, FIG. 1 illustrates the computation of a message authentication code in the UTRAN (UMTS Terrestrial Radio Access Network), which is a wideband multiple access radio network currently being specified in the 3GPP (Third Generation Partnership Project). The length of the MAC-I used in UTRAN is 32 bits.

Block 100 represents the UMTS integrity algorithm for generating the message authentication code. The UMTS integrity algorithm used in block 100 is a one-way cryptographic function for calculating the 32 bit Message Authentication Code (MAC-I) based on the five input parameters shown in FIG. 1. A one-way function makes it impossible to derive the unknown input parameters from a MAC-I, even if all but one input parameter are known.

The input parameters for calculating the MAC-I 20 are: the actual signaling message 10 (after encoding) to be sent, a secret integrity key 12, a COUNT-I value 14 for the message to be integrity protected, a value indicating the direction of transmission 16 (i.e. whether the message is sent in uplink or downlink direction), and a random number 18 (FRESH) generated by the network. The COUNT-I value consists of a hyper frame number HFN and the message sequence number SN. The computing block 100 calculates the message authentication code by applying the afore-mentioned parameters to the integrity algorithm, which is called the f9 algorithm in 3GPP Release'99 specifications.

FIG. 2 illustrates a typical message to be sent over a radio interface. The message is a layer N protocol data unit (PDU) 200, which is transferred as a payload 30 in a layer N-1 PDU 201. In the present example, layer N represents the Radio Resource Control (RRC) protocol in the radio interface and layer N-1 represents the Radio Link Control (RLC) layer. The layer N-1 PDU normally has a fixed size, which depends on the physical layer (the lowest layer, not visible in FIG. 2), the channel type used and on other parameters, e.g. modulation, channel coding, interleaving. If layer N PDUs are not exactly the size of the payload 30 offered by layer N-1, as is normally the case, layer N-1 can utilize functions like segmentation, concatenation, and padding to make layer N-1 PDUs a fixed size.

In the example discussed herein, a layer N PDU consisting of the actual signaling data 22 and the Integrity Check Info is discussed. The Integrity Check Info consists of the 32 bit MAC-I 26 and the message sequence number SN 24, which is needed at the peer end for the recalculation of MAC-I. The total length of the message 200 is then a combination of the signaling bits and the Integrity Check Info bits.

At the receiving end the message is received including the signaling data part and the Integrity Check Info (which comprises the message sequence number SN and the 32-bit MAC-I). The signaling data together with the Integrity Check Info (i.e. the secret integrity key, the COUNT-I value, the direction of transmission, and the random number (FRESH)), are processed in a computing block, for example a function like the UTRAN f9 function, with a fixed function. The computed message authentication code XMAC-I thus generated is then compared with the message authentication code MAC-I received in the transmitted message. If the two codes match (i.e. XMAC-I matches MAC-I), the recipient can trust that the message is intact, and the recipient then accepts the message. Otherwise, the message is discarded.

The frame dependent COUNT-I number is actually the sum of a locally generated and incremented frame number HFN (Hyper Frame Number), which is added to the message sequence number, for example RRC_SN, and included in the message. The HFN is incremented each time SN reaches its maximum value (SN is normally very short, e.g. 4 bits).

As mentioned hereinabove the transmitted block (layer N-1 PDU) normally has a fixed length. However, it may be that the signaling data bits together with the Integrity Check Info require more space than that provided in one layer N-1 PDU payload. One known way to deal with this problem is to segment the signaling message.

In segmentation a signaling message, which is too long to fit in a single layer N-1 block, is passed on to a lower layer, where it is split up into two blocks (two layer N-1 PDUs), each with an appropriate layer N-1 header. Two blocks is just an example here; naturally a larger message may require even more than two blocks. If the second layer N-1 PDU is not totally filled with the layer N data, padding bits are inserted. At the receiving end before transferring to a higher layer, the two layer N-1 payloads are reassembled into one layer N PDU. To a person skilled in the art, it is immediately obvious that the use of padding bits is a potential waste of resources.

TDMA systems, for example, have a limited radio block size, whereby a message including the full message authentication code does not necessarily fit into one radio block. This leads to the difficulty that the message has either to be sent without the MAC-I or in one or more additional segments.

In addition, there are certain time critical messages, for example, handover messages, which must be sent in one radio block only. Generally, segmentation is not desirable, because it wastes radio resources and slows down the signaling procedure unnecessarily.

One way to solve the above problem is to make the length of the message authentication code shorter than 32 bits. It has been proposed that such a message should include a field that defines the length of the message authentication code, a two-bit identifier, for example. This identifier allows certain discrete values: 8, 16, 24 and 32. This solution still has some problems. First, the identifier always takes two extra bits from the length of the message. Second, the discrete values are not flexible, and in some cases this can lead to the same problem as above, i.e. segmentation is needed for certain messages.

A particularly advantageous technique for addressing the above stated problems is disclosed in Finnish patent application number FI20002453. This discloses a technique that allows the transmission of a message in a single lower layer data block even when the length of the message including the integrity check info exceeds the length of the lower layer data block.

In all current known solutions, each message is authenticated separately. Each message contains a sequence number of the protocol it belongs to. Hence a binding between different steps in the existing solutions is achieved through the sequence number. The drawback to existing solutions is that at each step a 32-bit MAC is transmitted which takes a significant part of the signaling bandwidth.

It is therefore an object of the present invention to provide an improved technique for checking the integrity of messages.

SUMMARY OF THE INVENTION

In accordance with the present invention there is provided a method of providing message authentication in a communication system comprising the steps of: transmitting a first message from a first device to a second device; transmitting a second message from the second device to the first device, the second message including a message authentication code determined using said first and second messages; transmitting a third message from the first device to the second device, the third message including a message authentication code determined using the third message.

In order to minimize the risk of ‘replay attacks’, the sequence numbers should preferably be maintained in the protocol. This is particularly important if the messages are short or otherwise small in number. The method may further comprise the step of storing the first message in the first device.

The method may further comprise the steps of: responsive to receipt of the second message, determining an expected message authentication code using said first and second messages; and comparing the expected message authentication code to the received message authentication code. The method may further comprise the step of discarding the second message if the expected message authentication code does not match the received message authentication code.

The method may further comprise the steps of: responsive to receipt of the third message, determining an expected message authentication code using said third message; and comparing the expected message authentication code to the received message authentication code. The method may further comprise the step of discarding the third message if the expected message authentication code does not match the received message authentication code.

The third message may include a message authentication code determined using the third message and the second message.

The method may further comprise the step of storing the second message in the second device.

The method may further comprise the steps of: responsive to receipt of the third message, determining an expected message authentication code using said third message and said second message; and comparing the expected message authentication code to the received message authentication code. The method according to claim 9 may further comprise the step of discarding the third message if the expected message authentication code does not match the received message authentication code.

The third message may include a message authentication code determined using the third message, the second message, and the first message.

The method may further comprise the step of storing said first message in the second device.

The method may further comprise the steps of: responsive to receipt of the third message, determining an expected message authentication code using said third message, said second message, and said first message; and comparing the expected message authentication code to the received message authentication code. The method may further comprise the step of discarding the third message if the expected message authentication code does not match the received message authentication code.

The invention may thus advantageously reduce the bandwidth used for authentication. In a multi-step protocol, the invention provides for the messages exchanged at different steps to be grouped together for message authentication code computations. A message is saved by the sending party for subsequent verification at a later step.

The number of required message authentication code computations and transmissions may be reduced to two independently of the number of steps in the authentication procedure.

In three step signaling procedures, there is thus no need for a message authentication code to be computed in the first step.

The invention is further advantageously applicable to procedures containing more than three messages. All communications that occur between two parties in various steps may be authenticated by the communicating parties in the last two steps of the protocol.

The first and second devices are preferably elements of a mobile communication system.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention will be described more closely with reference to the accompanying drawings, in which

FIG. 1 depicts the computation of a message authentication code;

FIG. 2 shows the contents of a message;

FIG. 3 illustrates a first embodiment of the present invention;

FIG. 4 illustrates a second embodiment of the present invention;

FIG. 5 depicts the creation of a message according to a preferred implementation;

FIG. 6 is a flow chart showing the creation of a message in the GERAN system, and

FIG. 7 is a flow chart of actions at the receiving end.

DESCRIPTION OF PREFERRED EMBODIMENTS

The invention is described herein by way of reference to particular non-limiting examples, and with particular reference to a GERAN system. The GERAN is specified by the Third Generation Partnership Project (3GPP). GERAN is an evolution of the GSM-system (Global System for Mobile Communication), the TDMA/136-system (Time Division Multiple Access System), and the EDGE-system. GERAN has no integrity protection of its own. Implementation of the same integrity algorithms used in UTRAN is suggested for a radio system using the GPRS/EDGE-radio connection network GERAN. This leads to certain significant problems, especially the problem of message segmentation.

The present invention can be advantageously used for implementing an integrity algorithm in the GERAN system, and the present invention is described herein with reference to example implementations in such a system. However, the invention is not limited in its application to such a system.

Radio interface protocols are needed to set up, reconfigure, and release Radio Bearer services. The protocol layers above the physical layer are called the data link layer (layer 2) and the network layer (layer 3). The control plane layer 2 contains two sub-layers: Medium Access Control (MAC) protocol and Radio Link Control (RLC) protocol. Layer 3 consists of one protocol, called Radio Resource Control (RRC), which belongs to the control plane. The channels offered by the physical layer to the MAC layer are called logical channels. It shall be appreciated that the term ‘logical channel’ can be used for other purposes in other systems. For example, in the UTRAN the term logical channel refers to a channel offered by the MAC layer to higher layers.

All higher layer signaling (mobility management, call control, session management, etc.) is encapsulated into RRC messages for transmission over the radio interface.

The following provides a description of integrity protection for a message to be sent over a radio link.

Referring to FIG. 3, a first embodiment of the present invention is described. For the purpose of this illustrative example, it is assumed that messages are being exchanged between the mobile station 40 and a network 42. It is assumed that the mobile station 40 initiates the exchanged messages.

The mobile station 40 constructs a message for transmission in the normal way in accordance with standard procedures. Prior to transmitting the message, as indicated by step 50, the mobile station 40 stores the initial message, labeled message_1, in its memory. As indicated by arrow 44, message_1 is then transmitted from the mobile station 40 to network 42. In accordance with the present invention, the first message is sent without a message authentication code. The network 42 receives the first message from the mobile station, and prepares a second message, message_2, for transmission back to the mobile station 40. In addition, in a step 52 the network 42 calculates a first message authentication code, MAC_I_1, using both the first message as received from the mobile station and the second message which it is to transmit to the mobile station. Thus the message authentication code to be transmitted with the second message is based on the combination of both the first and second messages. As indicated by arrow 46, the network 42 then transmits a second message, message_2, with the message authentication code MAC_I_1.

Using the received second message, message_2, and the stored first message, message_1, the mobile station 40 in a step 54 calculates the expected message authentication code XMAC_I_1. If XMAC_I_1 is identical to MAC_I_1, then the mobile station 40 continues with message transmission. Otherwise the received message message_2 is discarded.

In this embodiment of the invention, the mobile station 40 prepares to transmit a third message message_3 to the network 42. In the step 56 the mobile station 40 prepares a second message authentication code MAC_I_2 using the content of the third message message_3. As represented by arrow 58, the third message message_3 is transmitted to the network 42 together with the second message authentication code MAC_I_2.

The network 42 then calculates the expected message authentication code XMAC_I_2 using the third message message_3 in step 58, and in the normal way compares this to the transmitted authentication code MAC_I_2.

Whilst in FIG. 3 the three messages are identified as message_1, message_2 and message_3, in actual signaling procedures they may be named, for example, XXX_request, XXX_command, XXX_complete (or “confirm”).

Thus in accordance with the first embodiment of the invention, the message authentication code is left out of the first message. The message authentication code for the second message is calculated over the first and second messages, although the first message is not returned to the sender. The third message is integrity protected “normally”, with a message authentication code calculated over the third message itself. This technique ensures that the procedure cannot be used illegally by an intruder, even if the first message is not integrity protected.

Referring to FIG. 4, the second embodiment of the present invention is now described. Where appropriate, the same reference numerals as used in FIG. 3 are used to refer to identical steps or procedures. The embodiment of the invention described with reference to FIG. 4 is suitable for signaling procedures normally having either two or three messages.

As in the embodiment described hereinabove with reference to FIG. 3, the mobile station 40 prepares a first message message_1 for transmission to the network 42, and prior to transmitting it, as represented by arrow 44, stores it in a memory as represented by step 50. In step 52, the network 42 calculates a first message authentication code MAC_I_1 using both the first message and the second message. In an additional step 53, the network 42 saves the second message message_2 into its memory before transmission. As in the embodiment of FIG. 3, the network 42 transmits the second message message_2 together with the first message authentication code MAC_I_1 as indicated by arrow 46 to the mobile station 40.

In step 54, as in the embodiment of FIG. 3, the mobile station 40 calculates the expected message authentication code XMAC_I_1 using both the received second message and the stored first message. If the expected message authentication code XMAC_I_1 is identical to the received message authentication code MAC_I_1, then the procedure is continued.

In this embodiment of the present invention, the mobile station 40 then calculates in step 55 a second message authentication code MAC_I_2 using both the third message to be sent, message_3, and the received second message, message_2. The mobile station 40 then transmits, as indicated by arrow 48, the third message, message_3, together with the message authentication code MAC_I_2.

The network 42 then calculates the expected second message authentication code XMAC_I_2 using both the stored second message message_2 and the received third message message_3 in step 59.

Thus, in common with the first embodiment described hereinabove with reference to FIG. 3, the second embodiment as described with reference to FIG. 4 similarly does not include any message authentication code in the first transmitted message. The difference of the second embodiment compared to the first embodiment is that the third message contains a message authentication code calculated over both the second and third messages, whereas in the first embodiment the message authentication code is calculated over only the third message.

The technique of FIG. 4 may be more advantageous in situations where the third message is added only for this purpose, i.e. it does not contain any actual information but is merely an acknowledgement message and is thus very short. From a security viewpoint, the calculation of the integrity check sum over a longer message is beneficial.

The addition of a third message may be more preferable than segmentation of the first message, because the segmentation solution necessitates additional acknowledgement (on data link layer level).

In a third embodiment of the present invention, the message authentication code transmitted with the third message is calculated over all three messages, i.e. message_1, message_2 and message_3. The advantage of this embodiment is that each check sum protects the maximum amount of the data communicated in the procedure. Thus, this variation excludes the possibility of an attack where a “man in the middle” replaces the first message with another one and modifies the message authentication code in the second message accordingly. Such an attack could only be successful if the attacker is able to modify the check sum correctly. There are two possible ways to do this: 1) the replay of an earlier message authentication code; or 2) pure guessing.

The first way is only possible if the counter number repeats, which means the same integrity key has been in use for too long. The probability of the second way being successful is very low. However, if the message authentication code of the second message is not a full 32 bits long, the probability of the guessing attack becomes higher.

If the “man in the middle” is to have any chance of making a successful attack when the third embodiment of the invention is in use, then it is necessary for either 1) or 2) to succeed twice, which is much more difficult.
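The three embodiments side by side, as an added example that is not part of the original text: it runs the message_1/message_2/message_3 exchange, shows that a replaced message_1 is caught at step 54, and shows that only the third embodiment still rejects the procedure when a guess at MAC_I_1 happens to be right. HMAC-SHA256 cut to 32 bits stands in for the integrity algorithm, the length-prefixed encoding and the order of the covered messages are assumptions, and COUNT-I, FRESH and the direction bit are left out to keep the binding visible.

```python
import hashlib
import hmac
import struct

MAC_BYTES = 4  # 32-bit MAC-I, the length the text gives for UTRAN


def mac_i(key: bytes, *messages: bytes) -> bytes:
    """Stand-in integrity function (assumption): HMAC-SHA256 cut to 32 bits.

    Every message is length-prefixed before hashing, so the boundary between
    message_1 and message_2 is authenticated along with their contents.
    """
    h = hmac.new(key, digestmod=hashlib.sha256)
    for m in messages:
        h.update(struct.pack(">I", len(m)))
        h.update(m)
    return h.digest()[:MAC_BYTES]


def covered(embodiment: int, m1: bytes, m2: bytes, m3: bytes) -> tuple:
    """Messages that MAC_I_2 is computed over in embodiments 1, 2 and 3."""
    return {1: (m3,), 2: (m2, m3), 3: (m1, m2, m3)}[embodiment]


class MobileStation:
    def __init__(self, key: bytes, embodiment: int):
        self.key, self.embodiment = key, embodiment
        self.stored_m1 = b""
        self.stored_m2 = b""

    def send_message_1(self, m1: bytes) -> bytes:
        self.stored_m1 = m1                 # step 50: keep a copy, send no MAC
        return m1

    def receive_message_2(self, m2: bytes, mac_1: bytes) -> bool:
        xmac_1 = mac_i(self.key, self.stored_m1, m2)     # step 54
        if not hmac.compare_digest(xmac_1, mac_1):
            return False                    # message_2 is discarded
        self.stored_m2 = m2
        return True

    def send_message_3(self, m3: bytes):
        parts = covered(self.embodiment, self.stored_m1, self.stored_m2, m3)
        return m3, mac_i(self.key, *parts)


class Network:
    def __init__(self, key: bytes, embodiment: int):
        self.key, self.embodiment = key, embodiment
        self.stored_m1 = b""
        self.stored_m2 = b""

    def receive_message_1(self, m1: bytes) -> None:
        self.stored_m1 = m1                 # whatever arrived, possibly altered

    def send_message_2(self, m2: bytes):
        self.stored_m2 = m2                 # step 53
        return m2, mac_i(self.key, self.stored_m1, m2)   # step 52

    def receive_message_3(self, m3: bytes, mac_2: bytes) -> bool:
        parts = covered(self.embodiment, self.stored_m1, self.stored_m2, m3)
        return hmac.compare_digest(mac_i(self.key, *parts), mac_2)


def run_procedure(embodiment, tamper_m1=None, mac1_guess_succeeds=False) -> str:
    key = bytes(range(16))                  # constructed 128-bit integrity key
    ms, net = MobileStation(key, embodiment), Network(key, embodiment)
    m1 = ms.send_message_1(b"XXX_request cell=17")       # constructed message
    if tamper_m1 is not None:
        m1 = tamper_m1                      # message_1 replaced in transit
    net.receive_message_1(m1)
    m2, mac_1 = net.send_message_2(b"XXX_command channel=3")
    if mac1_guess_succeeds:
        # Models case 2) of the text: the replaced MAC_I_1 happens to be right.
        mac_1 = mac_i(key, ms.stored_m1, m2)
    if not ms.receive_message_2(m2, mac_1):
        return "message_2 discarded"
    m3, mac_2 = ms.send_message_3(b"XXX_complete")
    return "accepted" if net.receive_message_3(m3, mac_2) else "message_3 discarded"


if __name__ == "__main__":
    for e in (1, 2, 3):
        print(e, run_procedure(e),
              run_procedure(e, b"XXX_request cell=99"),
              run_procedure(e, b"XXX_request cell=99", True))
```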

The present invention can particularly advantageously be used in combination with the technique described in Finnish patent application number FI120002453. Such a technique is described hereinbelow. It should be noted that the techniques described hereinbelow may only be utilized in steps where a message authentication code is being generated, and hence would not be used in accordance with the invention in relation to the generation and transmission of the first message. It should also be noted that other techniques may also be used.

FIG. 5 illustrates a situation where a signaling message 500 is to be sent in a secure manner over a lower layer radio link in one fixed length radio block, which can be a TDMA block, for example, without segmentation. The maximum block size allowed by the lower layer data block 501 is indicated by dotted lines in the figure. The signaling message without the Integrity Check Info (ICI) is in the illustrated situation shorter than the said maximum block size. This leads to a situation where the data to be sent either has to be segmented or sent without the message authentication code. Neither of these alternatives is acceptable.

In order for the data to be sent in a sufficiently secure manner over a radio link, the computed message authentication code should be appended to it. However, it must be shortened in a predefined way (described in detail below). This truncated message authentication code diminishes the reliability of the integrity protection to some degree but still provides sufficient protection for the message. It should be noted that the sequential number SN needed to form the COUNT-I parameter cannot be truncated. The message authentication code may be computed in the usual way in the device concerned and the MAC-I added with the message sequence number to the encoded message to form the actual PDU. Then the length of the message (without the Integrity Check Info) and/or the length of the PDU can be examined as follows.

-   i) If the length of the message is longer than the length of the lower layer data block, the PDU is segmented into two or more data blocks as in prior art.
-   ii) If the length of the PDU is shorter than the length of the lower layer data block, the PDU is placed into said lower layer data block and the rest of the block is filled with padding bits (normally by the lower layer itself).
-   iii) If the length of the PDU is longer than the length of the lower layer data block but the extra bits are less than the size of the MAC-I, then the computed message authentication code is truncated so that the truncated PDU fits into one layer N-1 data block. However, truncation of the message authentication code diminishes the security of the message exchange. Therefore, the number of bits the MAC-I is allowed to be truncated by is limited to a certain maximum value, i.e. the truncated message authentication code has a certain minimum value. Thereafter, the truncated PDU is sent via a radio interface to the receiving end. At the receiving end the integrity is examined of the PDU received. First, the part including the signaling bits and the part including the Integrity Check Info are separated. Then a message authentication code is recomputed based on exactly the same algorithm and using the same parameters as were used at the transmitting end. The message authentication code of the received message is then compared with the recomputed authentication code.
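Cases i) to iii) for both ends of the link, as an added example that is not part of the original text: the sender decides whether the PDU fits, is truncated or is segmented, and the receiver recomputes the code, cuts it to the received length and refuses any code shorter than the agreed minimum. HMAC-SHA256 stands in for the integrity algorithm; keeping the leading MAC-I bits, falling back to segmentation below the minimum, the COUNT-I layout and the receiver knowing the encoded length are assumptions, and all sample values are constructed.

```python
import hashlib
import hmac

SN_BITS = 4     # RRC sequence number length given in the text
MAC_BITS = 32   # untruncated MAC-I length


def mac_i_bits(ik: bytes, hfn: int, sn: int, direction: int, fresh: int,
               e_bits: str) -> str:
    """Stand-in for the integrity algorithm (assumption): HMAC-SHA256 over
    COUNT-I, DIR, FRESH and the encoded message, first 32 bits as a bit string."""
    count_i = (hfn << SN_BITS) | sn   # assumed layout: 28-bit HFN, then 4-bit SN
    data = (count_i.to_bytes(4, "big") + bytes([direction])
            + fresh.to_bytes(4, "big") + e_bits.encode("ascii"))
    digest = hmac.new(ik, data, hashlib.sha256).digest()
    return format(int.from_bytes(digest[:4], "big"), "032b")


def build_pdu(e_bits: str, sn: int, full_mac: str, max_size: int,
              min_mac_bits: int):
    """Sender side. Returns (action, pdu_bits); all lengths are in bits."""
    sn_field = format(sn, "04b")
    full_pdu = e_bits + sn_field + full_mac
    if len(e_bits) > max_size:
        return "segment", full_pdu                     # case i)
    room = max_size - len(e_bits) - SN_BITS            # bits left for the MAC-I
    if room >= MAC_BITS:
        return "fit", full_pdu                         # case ii), lower layer pads
    if room >= min_mac_bits:
        return "truncate", e_bits + sn_field + full_mac[:room]   # case iii)
    return "segment", full_pdu    # assumption: below the minimum, segment instead


def verify_pdu(pdu_bits: str, e_len: int, ik: bytes, hfn: int, direction: int,
               fresh: int, min_mac_bits: int) -> bool:
    """Receiver side. e_len (length of the encoded message) is assumed known."""
    received_mac = pdu_bits[e_len + SN_BITS:]
    # A code shorter than the minimum is refused outright; otherwise removing
    # bits from the PDU would turn a 2**-32 guess into a much easier one.
    if not min_mac_bits <= len(received_mac) <= MAC_BITS:
        return False
    e_bits = pdu_bits[:e_len]
    sn = int(pdu_bits[e_len:e_len + SN_BITS], 2)
    expected = mac_i_bits(ik, hfn, sn, direction, fresh, e_bits)
    return hmac.compare_digest(expected[:len(received_mac)], received_mac)


def demo() -> dict:
    ik = bytes(range(16))                # constructed 128-bit integrity key
    e_bits = "1011" * 40                 # constructed 160-bit encoded message
    hfn, sn, direction, fresh = 5, 9, 1, 0x1234
    full_mac = mac_i_bits(ik, hfn, sn, direction, fresh, e_bits)
    action, pdu = build_pdu(e_bits, sn, full_mac, max_size=184, min_mac_bits=16)
    args = (len(e_bits), ik, hfn, direction, fresh, 16)
    return {
        "action": action,
        "pdu_len": len(pdu),
        "intact": verify_pdu(pdu, *args),
        "bit_flipped": verify_pdu("0" + pdu[1:], *args),
        "mac_cut_to_6_bits": verify_pdu(pdu[:170], *args),
    }


if __name__ == "__main__":
    print(demo())
```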

FIG. 6 shows as a flowchart a more detailed example of one implementation of the method according to the invention from the point of view of the transmitting end.

At stage 600 a time critical RRC message is to be sent through a radio interface, for example from the network to a mobile.

Most signaling messages sent between a mobile station MS and the network, for example, must be integrity protected. Examples of such messages are RRC, MM, CC, GMM, and SM messages. Integrity protection is applied at the RRC layer, both in the mobile station and in the network.

Integrity protection is usually performed for all RRC (Radio Resource Control) messages, with some exceptions. These exceptions can be:

-   messages that are assigned to more than one recipient,
-   messages that have been sent before integrity keys were created for the connection,
-   frequently repeated messages, including information which does not need integrity protection.

The message is encoded according to the specified message transfer syntax at stage 601. The encoded message (bit string) is called here E.

A 32-bit message authentication code MAC-I, which is to be added to the encoded message, is calculated at stage 602.

The message authentication code depends not only on the encoded message but also on several other parameters. The following input parameters are needed for calculation of the integrity algorithm: the encoded message, the 4-bit sequence number SN, the 28-bit hyper-frame number HFN, the 32-bit random number FRESH, the 1-bit direction identifier DIR, and the most important parameter, the 128-bit integrity key IK. The short sequence number SN and the long sequence number HFN together compose the serial integrity sequence number COUNT-I.

When the message authentication code is computed using the UMTS integrity algorithm and the above parameters, it is guaranteed that no one other than the actual sender can add the correct MAC-I code to the signaling message. COUNT-I, for example, prevents the same message from being sent repeatedly. However, if the same signaling message for some reason or other is to be sent repeatedly, the MAC-I code differs from the MAC-I code that was in the previously sent signaling message. The aim of that is to protect the message as strongly as possible against eavesdroppers and other fraudulent users.

Due to the fact that a TDMA radio block has a fixed length, the length of the message has to be checked to avoid segmentation of the message. The RRC layer makes a decision as to whether the segmentation of the message concerned is to be allowed or not.

At stage 603 the total length of the signaling message to be sent without the message authentication code is calculated using the following formula:

X = max_size − sizeof(E) − sizeof(RRC_SN)

In the above formula max_size is the maximum size (in bits) of an RRC message that can be sent in one radio block (i.e. there is no need for segmentation). Sizeof(E) is the size (in bits) of the encoded message and sizeof(RRC_SN) is the size of the RRC sequence number, a 4-bit working assumption. X defines the length (in bits) of the rest of the fixed length message, which is still left after the minimum number of bits are reserved for the message authentication code; the untruncated MAC-I size may be different.

Next, at stage 604, a comparison is made to ascertain whether the calculated X is between values 0 and min_MACI_len, where the latter value is the minimum allowed length for the message authentication code. This minimum length is a predefined value, which can be either the same for all messages or even a message type specific value. It is clear that the smaller the value, the weaker the protection. So it is obvious that a minimum length must be determined so that the message can be sent with adequate security.

If the answer after said comparison is YES, this means that the message authentication code does not fit with the signaling message to be sent in one radio block. In other words, the space left in one radio block is too short even for a shortened message authentication code after the signaling message is put into the block. If this is the case, the system protocol defines 605 as the next action to be carried out.

If the answer after comparison is NO, the next step is to compare whether X is between values min_MACI_len and 32, stage 606.

If X is between those values, i.e. if the answer after the comparison in stage 604 is YES, then X bits of the message authentication code with the RRC_SN are added to the encoded message, stage 607. The sequence number RRC_SN is needed for integrity protection, that is, for calculation of the message authentication code at the receiving end. Note that the MAC-I size is also 32 bits in the UTRAN system. In some other systems, the ‘normal’ MAC-I size may be something different.

The length of the message authentication code is shortened in a predefined way. Thus, the size of the message authentication code transmitted over the radio path depends dynamically on the size of each encoded message, not on the type of the message.

The decisions are made at the RRC layer as to the minimum message authentication code size and as to when the size of the said code may be shortened. In some cases the RRC layer can make the decision that the message authentication code is not to be shortened even though this would have been possible. Such cases might occur when strong protection is demanded for a message.

The next step 611 is to send the message including the integrity protection info (E+MAC-I+RRC_SN) to the lower layers for transmission over the radio interface to the mobile station.

If the answer in the above comparison 604 is NO, a final comparison is made as to whether the value of X is greater than 31, stage 608. If the answer is YES, this means that neither shortening nor segmentation is needed. Now the whole message authentication code and the RRC_SN are appended to the encoded message E, stage 609. The next step is stage 611.

If the answer to the comparison at stage 608 is NO, i.e. if X is smaller than 0, which means that the size of the encoded message sizeof(E) is greater than the maximum size of the RRC message max_size, then two different alternatives, A and B, are possible at stage 610:

-   1. add the entire MAC-I (+RRC_SN) to the message;
-   2. set sizeof(E)=(sizeof(E)−max_size) and rerun the previous steps.

Which of the two above alternatives is selected depends on the protocol according to the system.

Alternative A means that the whole message authentication code with the sequence number RRC_SN is added to the block, since the message has to be segmented anyway. Thus with this alternative, it is not important whether adding Integrity Protection Info causes additional segmentation or not.

In alternative B, the attempt is made to avoid the additional segmentation caused by the addition of Integrity Check Info. Thus the sizeof(E) is set one full data block shorter than what was given in stage 601, and the truncation algorithm for the MAC-I is rerun starting from step 603.
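The transmit-side decision of stages 603 to 610 can be traced in code. The following is an added example, not part of the original text; the function name, the return labels and the exact boundary handling (0 <= X < min_MACI_len for stage 604, min_MACI_len <= X < 32 for stage 606, X >= 32 for stage 608) are assumptions, since the text only says "between".

```python
FULL_MACI_BITS = 32   # untruncated MAC-I size in the text's UTRAN example
RRC_SN_BITS = 4       # sizeof(RRC_SN), the text's 4-bit working assumption


def plan_maci(size_e, max_size, min_maci_len, alternative="A"):
    """Walk stages 603-610 for an encoded message E of size_e bits.

    Returns (action, maci_bits): which branch was taken and how many MAC-I
    bits are appended. maci_bits is None when the outcome is left to the
    system protocol (stage 605).
    """
    if max_size <= RRC_SN_BITS:
        raise ValueError("max_size must leave room for RRC_SN")
    if not 0 < min_maci_len <= FULL_MACI_BITS:
        raise ValueError("min_maci_len must be in 1..32")
    if alternative not in ("A", "B"):
        raise ValueError("alternative must be 'A' or 'B'")

    while True:
        # Stage 603: bits left in the radio block after E and RRC_SN.
        x = max_size - size_e - RRC_SN_BITS

        # Stage 604: room is left, but less than the shortest allowed MAC-I.
        if 0 <= x < min_maci_len:
            return ("protocol-defined (605)", None)

        # Stages 606/607: send exactly X bits of the MAC-I, no segmentation.
        if min_maci_len <= x < FULL_MACI_BITS:
            return ("truncate (607)", x)

        # Stages 608/609: the whole MAC-I fits.
        if x >= FULL_MACI_BITS:
            return ("full (609)", FULL_MACI_BITS)

        # Stage 610: X < 0, the message needs more than one block anyway.
        if alternative == "A":
            # Alternative A: append the entire MAC-I and accept segmentation.
            return ("segment, full MAC-I (610A)", FULL_MACI_BITS)
        # Alternative B: drop one full block from sizeof(E) and rerun from 603,
        # so the truncation is decided on the last block only.
        size_e -= max_size


if __name__ == "__main__":
    # Constructed sizes: 184-bit radio block, 16-bit minimum MAC-I.
    for size_e in (100, 160, 170, 200, 344):
        for alt in ("A", "B"):
            print(size_e, alt, plan_maci(size_e, 184, 16, alt))
```

With alternative B a 344-bit message is treated as one full 184-bit block plus a 160-bit remainder, so the MAC-I is cut to 20 bits instead of forcing a third block.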

FIG. 7 shows as a flowchart an example of one implementation of the method according to the invention from the point of view of the receiving end.

At stage 700 the receiving end gets a Service Data Unit (SDU) comprising the signaling data M from the lower layers. It is assumed here that this message is the same as in the previous example in FIG. 6. The next step is that the part including signaling data bits and the part including the Integrity Check Info MAC-I (the message authentication code with the sequence number RRC_SN) are separated and a message authentication code with RRC sequence number RRC_SN is decoded in stage 701. The actual message (signaling data) can still be stored as an encoded bit string at this point.

In prior art systems the message received is discarded immediately if the received and the recomputed message authentication codes do not match. But according to the described embodiment of the invention, the receiving end first examines the length of the message authentication code and, depending on the result, it then decides if and how the message is to be processed further.

For example, if the receiving end finds that the message authentication code received is shorter than it should be, it may assume that the code has been truncated. Instead of n bits the truncated code comprises m bits. If the truncation exceeds the predetermined maximum amount known by the receiving end, the message is discarded. If truncation does not exceed the predetermined maximum amount as known by the receiving end, the bits of the truncated message authentication code are compared bit-by-bit to the bits of the recomputed authentication code of full length. When the m bits of the truncated message authentication code match the corresponding bits of the recomputed message authentication code, the integrity check of the message received is passed.

The length of the message authentication code of the message received is examined at stages 702 and 706. In addition, the length of the entire message (including the signaling data and the integrity check info) received is also examined at stage 704.

At stage 702 a check is made as to whether the length of the MAC-I is ‘normal’, in this example 32 bits. If YES (the answer to stage 702 is NO), the flow proceeds to stage 703, where the message is processed in the normal way. The message authentication code is checked, the message is decoded, etc. using the same algorithm and parameters as were used at the transmitting end.

Provided that stage 702 yields the YES alternative, meaning that the MAC-I has been truncated, a check is made as to whether the length of the message is a multiple of the max_size (sizeof(M) mod max_size = 0), justifying the MAC-I truncation. A NO alternative yields a protocol error, for which reason the message received is discarded 705.

A YES answer after stage 704 leads to stage 706, when a comparison is made as to whether the length of the message authentication code is greater than or equal to the minimum allowed MAC-I length (min_MACI_len). A NO alternative yields a protocol error, for which reason the received message is discarded 707. If the length is greater than or equal to the minimum value, the transmitting end may have shortened the MAC-I code in the correct way. With the integrity key and all the other needed parameters, the expected message authentication code XMAC-I is calculated 708, using the same algorithm as for the transmitting end. The calculated XMAC-I has to be truncated in order to compare its size with the size of the transmitted MAC-I, stage 709. If the truncated XMAC-I does not correspond to the transmitted truncated MAC-I 710, an integrity error is found and the received message is discarded 711. If the result of the comparison is positive, the message is decoded 712. The final check 713 is made after decoding the actual signaling data 712. The final check is to find out whether there are some padding bits in the received message. Since the MAC-I has been truncated due to message size, no padding bits are allowed (since the padding bits should have been used for the MAC-I). The Integrity check is OK whenever no RRC padding bits are found 713, i.e. it is then ensured that the message has been sent from the authorized party 715. Otherwise, a protocol error is found and the message is discarded, stage 714.
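The receive-side checks of stages 702 to 715 can be followed in code. This is an added example, not part of the original text: HMAC-SHA256 cut to 32 bits stands in for the UMTS integrity algorithm, and the rule that truncation keeps the leading bits, the function names and the return labels are assumptions.

```python
import hashlib
import hmac

FULL_MACI_BITS = 32  # 'normal' MAC-I length in the text's example


def xmac_i(ik, count_i, fresh, direction, message):
    """Stand-in MAC over the text's inputs (IK, COUNT-I, FRESH, DIR, message).

    HMAC-SHA256 cut to 32 bits; this is NOT the UMTS integrity algorithm.
    """
    header = count_i.to_bytes(4, "big") + fresh.to_bytes(4, "big") + bytes([direction])
    digest = hmac.new(ik, header + message, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


def truncate(mac, bits):
    """Keep the leading `bits` bits of a 32-bit MAC (assumed truncation rule)."""
    return mac >> (FULL_MACI_BITS - bits)


def _same(a, b):
    # Constant-time comparison so timing does not reveal how many bits matched.
    return hmac.compare_digest(a.to_bytes(4, "big"), b.to_bytes(4, "big"))


def check_received(ik, count_i, fresh, direction, message, mac, mac_bits,
                   total_bits, max_size, min_maci_len, padding_bits):
    """Apply stages 702-715 to a received MAC-I field of mac_bits bits.

    total_bits is the length of the whole received message (signaling data
    plus integrity check info); padding_bits is the RRC padding found in it.
    """
    if mac < 0 or mac >> mac_bits:
        raise ValueError("mac does not fit in mac_bits")

    # Stages 702/703: full-length MAC-I, processed in the normal way.
    if mac_bits == FULL_MACI_BITS:
        expected = xmac_i(ik, count_i, fresh, direction, message)
        return "accepted" if _same(mac, expected) else "integrity error"

    # Stage 704: truncation is only justified when the message fills whole blocks.
    if total_bits % max_size != 0:
        return "protocol error (705)"

    # Stage 706: refuse codes shorter than the agreed minimum. The upper bound
    # is an added guard for lengths the text does not discuss.
    if not min_maci_len <= mac_bits < FULL_MACI_BITS:
        return "protocol error (707)"

    # Stages 708-710: recompute XMAC-I, cut it to the received length, compare.
    expected = truncate(xmac_i(ik, count_i, fresh, direction, message), mac_bits)
    if not _same(mac, expected):
        return "integrity error"  # stage 711

    # Stage 713: padding next to a truncated MAC-I means those bits should
    # have carried MAC-I instead, so the message is rejected.
    if padding_bits:
        return "protocol error (714)"
    return "accepted"  # stage 715
```

The minimum-length check runs before any MAC comparison, so a sender cannot lower the forgery cost below min_MACI_len bits by shortening the code itself.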

The above defined preferred technique for generation of the message authentication code may be used in the embodiments of the present invention at those steps where a message authentication code is generated.

An implementation and embodiment of the present invention has been explained above with some examples. However, it is understood that the invention is not restricted to the details of the above embodiment and that numerous changes and modifications can be made by those skilled in the art without departing from the characteristic features of the invention. The embodiment described is to be considered illustrative but not restrictive. Therefore, the invention should be limited only by the attached claims. Thus, alternative implementations defined by the claims, as well as equivalent implementations, are included in the scope of the invention.

For example, instead of at the RRC layer the decision concerning the MAC-I size can be made at some other layer, e.g. the RLC layer. In that case, the RLC must know whether segmentation of the message(s) in the transmission buffer is to be allowed or not.

The protocol layers from top to bottom may be, for example, RRC, LLC (Logical Link Control), LAPDm (Link Access Protocol on the Dm channel), PDCP (Packet Data Convergence Protocol), RLC, MAC (Medium Access Control Protocol), and PHY (Physical Layer).

In addition, the minimum value, which is set at min_MACI_len might also depend on the signaling message used. The grouping of signaling messages into different min_MACI_len categories can be carried out either simply according to the message type. Grouping can be based on other factors as well, such as on whether the message is so that for critical signaling messages the value is greater than for non-critical signaling messages. For some non-critical messages the min_MACI_len could be set as low as 8 bits, for example.

Utilised in combination with the techniques described with reference to FIGS. 5 to 7 the present invention may allow, in certain situations, a longer MAC-I, thereby further improving integrity.

The present invention is independent of the length of the message authentication code. Such code may be longer or shorter than 32 bits. The length may also differ between messages in one procedure.

It should also be noted that although this application is made only from the signaling standpoint, integrity protection can also be applied in some systems to the user plane data. The same principles and methods described in this application are applicable also for user plane data packets, although the actual protocol layers performing the integrity protection, and the message authentication code truncation would then be different.

1. A method of providing message authentication in a communication system comprising the steps of: transmitting a first message from a first device to a second device; transmitting a second message from the second device to the first device, the second message including a message authentication code determined using said first and second messages; transmitting a third message from the first device to the second device, the third message including a message authentication code determined using the third message.
2. A method according to claim 1, further comprising the step of storing the first message in the first device.
3. A method according to claim 1 further comprising the steps of: responsive to receipt of the second message, determining an expected message authentication code using said first and second messages; and comparing the expected message authentication code to the received message authentication code.
4. A method according to claim 3 further comprising the step of discarding the second message if the expected message authentication code does not match the received message authentication code.
5. A method according to claim 1 further comprising the steps of: responsive to receipt of the third message, determining an expected message authentication code using said third message; and comparing the expected message authentication code to the received message authentication code.
6. A method according to claim 5 further comprising the step of discarding the third message if the expected message authentication code does not match the received message authentication code.
7. A method according to claim 1, wherein the third message includes a message authentication code determined using the third message and the second message.
8. A method according to claim 7, further comprising the step of storing the second message in the second drive.
9. A method according to claim 7, further comprising the steps of: responsive to receipt of the third message, determining an expected message authentication code using said third message and said second message; and comparing the expected message authentication code to the received message authentication code.
10. A method according to claim 9 further comprising the step of discarding the third message if the expected message authentication code does not match the received message authentication code.
11. A method according to claim 1, wherein the third message includes a message authentication determined using the third message, the second message, and the first message.
12. A method according to claim 11, further comprising the step of storing said first message in the second device.
13. A method according to claim 11, further comprising the steps of: responsive to receipt of the third message, determining an expected message authentication code using said third message, said second message, and said first message; and comparing the expected message authentication code to the received message authentication code.
14. A method according to claim 13 further comprising the step of discarding the third message if the expected message authentication code does not match the received message authentication code.
15. A method according to claim 1 wherein the first and second devices are elements of a mobile communication system.
16. A method of providing message authentication in a communication system comprising transmitting a plurality of messages between a first device and a second device, wherein a message includes a message authentication code determined using at least said message and another message includes a further message authentication code determined using at least said other message, whereby the number of required message authentication code computations and transmissions may be reduced to two independently of the number of steps of the authentication procedure.
17. A communication system for providing message authentication between two communicating devices, each communicating device having respective transmitting and receiving means, and each communicating device having means for generating a message authentication code, comprising: in the first device, transmitting a first message from the second device; in the second device, transmitting a second message to the first device, the second message including a message authentication code determined using said first and second messages; in the first device transmitting a third message to the second device, the third messages including a message authentication code determined using the third message.
18. A communication system according to claim 17, further including, in the first device: responsive to receipt of the second message, determining an expected message authentication code using said first and second messages; and comparing the expected message authentication code to the received message authentication code.
19. A communication system according to claim 17 wherein the second message is discarded if the expected message authentication code does not match the received message authentication code.
20. A communication system according to claim 17 further comprising, in the second device: responsive to receipt of the third message, determining an expected message authentication code using said third message; and comparing the expected message authentication code to the received message authentication code.
21. A communication system according to claim 20 wherein the third message is discarded if the expected message authentication code does not match the received message authentication code.
22. A communication system according to claim 17, wherein the first device generates the third message including a message authentication code determined using the third message and the second message.
23. A communications system according to claim 22, wherein responsive to receipt of the third message, the second device determines an expected message authentication code using said third message and said second message; and compares the expected message authentication code to the received message authentication code.
24. A communications system according to claim 23 wherein the third message if the expected message authentication code does not match the received message authentication code.
25. A communications system according to claim 17 wherein the third message generated by the first device includes a message authentication code determined using the third message, the second message, and the first message.
26. A communication system according to claim 25 wherein responsive to receipt of the third message, the second device determines an expected message authentication code using said third message, said second message, and said first message; and compares the expected message authentication code to the received message authentication code.
27. A communication system according to claim 26 wherein the second device discards the third message if the expected message authentication code does not match the received message authentication code.
28. A communication system according to claim 17 wherein the first and second device are elements of a mobile communication system.
29. A communication system according to claim 28, wherein the first and second devices are one of a mobile terminal and a network element.
30. A communication system according to claim 28, wherein the mobile communication system comprises a GERAN system.